Avoid Email for Out-of-Band Authentication
Do not use email for secondary authentication steps to increase security.
Plain language
This control is about not using email as a second way to verify someone's identity when trying to access important information. Email can be hacked or misused, and if that happens during a verification process, an unauthorised person might get into your systems. This could lead to stolen data or other security troubles.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 May 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardeningSection
Authentication hardeningOfficial control statement
Email is not used for out-of-band authentication purposes.
Why it matters
Using email for out-of-band authentication exposes codes/links to mailbox compromise; attackers who access email can complete MFA and take over accounts.
Operational notes
Do not send OTPs or magic links via email. Use authenticator apps, FIDO2/WebAuthn or SMS, and verify enrolment/recovery flows exclude email.
Implementation tips
- IT manager should ensure alternative methods for out-of-band authentication are used. This means selecting a more secure option like text message verification, phone calls, or special apps that provide verification codes. Roll these out by training staff and updating security settings in all applications that require out-of-band authentication.
- Business owners should work with IT to review current authentication methods. Make a list of systems that rely on email for verifying identities and replace them with more secure options. Use new security tools that do not rely on email and ensure they are correctly integrated into daily operations.
- Security teams need to educate staff on the risks of email verification. Hold workshops or create easy-to-understand guides explaining why email isn’t safe for this purpose and what alternatives are being used. Regular communication helps everyone understand the changes and remember why they're important.
- System administrators should remove email verification options from existing systems. Update security settings and user guides to reflect new processes. This involves changing configuration settings in software to disable email for these verifications and testing the updated systems to make sure everything works smoothly.
Audit / evidence tips
- AskThe list of systems using out-of-band authentication methods: Request documentation showing which systems use secure alternatives to email for verification GoodThe document lists systems, chosen methods, and notes confirming email is not used
- AskTo see security training records: Request evidence of staff training regarding authentication changes GoodTraining logs showing participation and specific topics on avoiding email for authentication
- AskProcurement criteria documents: Request criteria used when purchasing software relating to authentication security GoodClearly written vendor requirements indicating email isn't accepted for verification
- AskTo see configuration settings: Request a demonstration of security settings on chosen systems GoodA settings page or screenshot proving email is not an active option for verification
- AskIncident response records: Request any incident reports related to authentication breaches. Look to see if emails were potentially involved in past incidents and what was done to mitigate GoodRecords confirming no email-related breaches due to proactive removal of email for verification
Cross-framework mappings
How ISM-2077 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.5 | ISM-2077 requires that email is not used for out-of-band authentication purposes | |
E8
| Control | Notes | Details |
|---|---|---|
| handshake Supports (5) expand_less | ||
| E8-MF-ML2.2 | E8-MF-ML2.2 requires MFA to authenticate unprivileged users of systems | |
| E8-MF-ML2.3 | ISM-2077 requires that email is not used as an out-of-band authentication channel | |
| E8-MF-ML2.5 | ISM-2077 requires that organisations do not use email for out-of-band authentication | |
| E8-MF-ML3.2 | E8-MF-ML3.2 requires phishing-resistant MFA for customers accessing online customer services | |
| E8-MF-ML3.3 | E8-MF-ML3.3 requires phishing-resistant MFA to protect access to data repositories from phishing attacks | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.